Use keystone.common.provider_api directly in assignment
Convert use of self.<provider_api> to keystone.common.provider_api.ProviderAPIs.<provider_api> for manager calls. This is the correct way to reference managers now that the dependency injection has been eliminated. Change-Id: I8e8431750486fc125e277c90557040c11c5802e9
parent
2178447a6d
commit
c063264773
|
@ -22,6 +22,7 @@ from oslo_log import log
|
|||
from keystone.assignment import schema
|
||||
from keystone.common import authorization
|
||||
from keystone.common import controller
|
||||
from keystone.common import provider_api
|
||||
from keystone.common import validation
|
||||
from keystone.common import wsgi
|
||||
import keystone.conf
|
||||
|
@ -31,6 +32,7 @@ from keystone.i18n import _
|
|||
|
||||
CONF = keystone.conf.CONF
|
||||
LOG = log.getLogger(__name__)
|
||||
PROVIDERS = provider_api.ProviderAPIs
|
||||
|
||||
|
||||
class TenantAssignment(controller.V2Controller):
|
||||
|
@ -49,7 +51,7 @@ class TenantAssignment(controller.V2Controller):
|
|||
token_ref = authorization.get_token_ref(request.context_dict)
|
||||
|
||||
tenant_refs = (
|
||||
self.assignment_api.list_projects_for_user(token_ref.user_id))
|
||||
PROVIDERS.assignment_api.list_projects_for_user(token_ref.user_id))
|
||||
tenant_refs = [self.v3_to_v2_project(ref) for ref in tenant_refs
|
||||
if ref['domain_id'] == CONF.identity.default_domain_id]
|
||||
params = {
|
||||
|
@ -67,12 +69,12 @@ class ProjectAssignmentV3(controller.V3Controller):
|
|||
|
||||
def __init__(self):
|
||||
super(ProjectAssignmentV3, self).__init__()
|
||||
self.get_member_from_driver = self.resource_api.get_project
|
||||
self.get_member_from_driver = PROVIDERS.resource_api.get_project
|
||||
|
||||
@controller.filterprotected('domain_id', 'enabled', 'name')
|
||||
def list_user_projects(self, request, filters, user_id):
|
||||
hints = ProjectAssignmentV3.build_driver_hints(request, filters)
|
||||
refs = self.assignment_api.list_projects_for_user(user_id)
|
||||
refs = PROVIDERS.assignment_api.list_projects_for_user(user_id)
|
||||
return ProjectAssignmentV3.wrap_collection(request.context_dict,
|
||||
refs,
|
||||
hints=hints)
|
||||
|
@ -98,14 +100,14 @@ class RoleV3(controller.V3Controller):
|
|||
|
||||
def __init__(self):
|
||||
super(RoleV3, self).__init__()
|
||||
self.get_member_from_driver = self.role_api.get_role
|
||||
self.get_member_from_driver = PROVIDERS.role_api.get_role
|
||||
|
||||
def _is_domain_role(self, role):
|
||||
return role.get('domain_id') is not None
|
||||
|
||||
def _is_domain_role_target(self, role_id):
|
||||
try:
|
||||
role = self.role_api.get_role(role_id)
|
||||
role = PROVIDERS.role_api.get_role(role_id)
|
||||
except exception.RoleNotFound:
|
||||
# We hide this error since we have not yet carried out a policy
|
||||
# check - and it maybe that the caller isn't authorized to make
|
||||
|
@ -208,25 +210,27 @@ class RoleV3(controller.V3Controller):
|
|||
role = self._assign_unique_id(role)
|
||||
|
||||
ref = self._normalize_dict(role)
|
||||
ref = self.role_api.create_role(ref['id'],
|
||||
ref,
|
||||
initiator=request.audit_initiator)
|
||||
ref = PROVIDERS.role_api.create_role(
|
||||
ref['id'],
|
||||
ref,
|
||||
initiator=request.audit_initiator)
|
||||
return RoleV3.wrap_member(request.context_dict, ref)
|
||||
|
||||
def _list_roles(self, request, filters):
|
||||
hints = RoleV3.build_driver_hints(request, filters)
|
||||
refs = self.role_api.list_roles(hints=hints)
|
||||
refs = PROVIDERS.role_api.list_roles(hints=hints)
|
||||
return RoleV3.wrap_collection(request.context_dict, refs, hints=hints)
|
||||
|
||||
def _update_role(self, request, role_id, role):
|
||||
self._require_matching_id(role_id, role)
|
||||
ref = self.role_api.update_role(
|
||||
ref = PROVIDERS.role_api.update_role(
|
||||
role_id, role, initiator=request.audit_initiator
|
||||
)
|
||||
return RoleV3.wrap_member(request.context_dict, ref)
|
||||
|
||||
def _delete_role(self, request, role_id):
|
||||
self.role_api.delete_role(role_id, initiator=request.audit_initiator)
|
||||
PROVIDERS.role_api.delete_role(role_id,
|
||||
initiator=request.audit_initiator)
|
||||
|
||||
@classmethod
|
||||
def build_driver_hints(cls, request, supported_filters):
|
||||
|
@ -251,9 +255,9 @@ class ImpliedRolesV3(controller.V3Controller):
|
|||
def _check_implies_role(self, request, prep_info,
|
||||
prior_role_id, implied_role_id=None):
|
||||
ref = {}
|
||||
ref['prior_role'] = self.role_api.get_role(prior_role_id)
|
||||
ref['prior_role'] = PROVIDERS.role_api.get_role(prior_role_id)
|
||||
if implied_role_id:
|
||||
ref['implied_role'] = self.role_api.get_role(implied_role_id)
|
||||
ref['implied_role'] = PROVIDERS.role_api.get_role(implied_role_id)
|
||||
|
||||
self.check_protection(request, prep_info, ref)
|
||||
|
||||
|
@ -278,7 +282,7 @@ class ImpliedRolesV3(controller.V3Controller):
|
|||
return implied_response
|
||||
|
||||
def _populate_prior_role_response(self, endpoint, prior_id):
|
||||
prior_role = self.role_api.get_role(prior_id)
|
||||
prior_role = PROVIDERS.role_api.get_role(prior_id)
|
||||
response = {
|
||||
"role_inference": {
|
||||
"prior_role": self._prior_role_stanza(
|
||||
|
@ -292,7 +296,7 @@ class ImpliedRolesV3(controller.V3Controller):
|
|||
response = self._populate_prior_role_response(endpoint, prior_id)
|
||||
response["role_inference"]['implies'] = []
|
||||
for implied_id in implied_ids:
|
||||
implied_role = self.role_api.get_role(implied_id)
|
||||
implied_role = PROVIDERS.role_api.get_role(implied_id)
|
||||
implied_response = self._implied_role_stanza(
|
||||
endpoint, implied_role)
|
||||
response["role_inference"]['implies'].append(implied_response)
|
||||
|
@ -303,7 +307,7 @@ class ImpliedRolesV3(controller.V3Controller):
|
|||
|
||||
def _populate_implied_role_response(self, endpoint, prior_id, implied_id):
|
||||
response = self._populate_prior_role_response(endpoint, prior_id)
|
||||
implied_role = self.role_api.get_role(implied_id)
|
||||
implied_role = PROVIDERS.role_api.get_role(implied_id)
|
||||
stanza = self._implied_role_stanza(endpoint, implied_role)
|
||||
response["role_inference"]['implies'] = stanza
|
||||
response["links"] = {
|
||||
|
@ -314,7 +318,8 @@ class ImpliedRolesV3(controller.V3Controller):
|
|||
|
||||
@controller.protected(callback=_check_implies_role)
|
||||
def get_implied_role(self, request, prior_role_id, implied_role_id):
|
||||
ref = self.role_api.get_implied_role(prior_role_id, implied_role_id)
|
||||
ref = PROVIDERS.role_api.get_implied_role(prior_role_id,
|
||||
implied_role_id)
|
||||
|
||||
prior_id = ref['prior_role_id']
|
||||
implied_id = ref['implied_role_id']
|
||||
|
@ -326,11 +331,11 @@ class ImpliedRolesV3(controller.V3Controller):
|
|||
|
||||
@controller.protected(callback=_check_implies_role)
|
||||
def check_implied_role(self, request, prior_role_id, implied_role_id):
|
||||
self.role_api.get_implied_role(prior_role_id, implied_role_id)
|
||||
PROVIDERS.role_api.get_implied_role(prior_role_id, implied_role_id)
|
||||
|
||||
@controller.protected(callback=_check_implies_role)
|
||||
def create_implied_role(self, request, prior_role_id, implied_role_id):
|
||||
self.role_api.create_implied_role(prior_role_id, implied_role_id)
|
||||
PROVIDERS.role_api.create_implied_role(prior_role_id, implied_role_id)
|
||||
return wsgi.render_response(
|
||||
self.get_implied_role(request,
|
||||
prior_role_id,
|
||||
|
@ -339,11 +344,11 @@ class ImpliedRolesV3(controller.V3Controller):
|
|||
|
||||
@controller.protected(callback=_check_implies_role)
|
||||
def delete_implied_role(self, request, prior_role_id, implied_role_id):
|
||||
self.role_api.delete_implied_role(prior_role_id, implied_role_id)
|
||||
PROVIDERS.role_api.delete_implied_role(prior_role_id, implied_role_id)
|
||||
|
||||
@controller.protected(callback=_check_implies_role)
|
||||
def list_implied_roles(self, request, prior_role_id):
|
||||
ref = self.role_api.list_implied_roles(prior_role_id)
|
||||
ref = PROVIDERS.role_api.list_implied_roles(prior_role_id)
|
||||
implied_ids = [r['implied_role_id'] for r in ref]
|
||||
endpoint = super(controller.V3Controller, ImpliedRolesV3).base_url(
|
||||
request.context_dict, 'public')
|
||||
|
@ -355,9 +360,9 @@ class ImpliedRolesV3(controller.V3Controller):
|
|||
|
||||
@controller.protected()
|
||||
def list_role_inference_rules(self, request):
|
||||
refs = self.role_api.list_role_inference_rules()
|
||||
refs = PROVIDERS.role_api.list_role_inference_rules()
|
||||
role_dict = {role_ref['id']: role_ref
|
||||
for role_ref in self.role_api.list_roles()}
|
||||
for role_ref in PROVIDERS.role_api.list_roles()}
|
||||
|
||||
rules = dict()
|
||||
endpoint = super(controller.V3Controller, ImpliedRolesV3).base_url(
|
||||
|
@ -389,7 +394,7 @@ class GrantAssignmentV3(controller.V3Controller):
|
|||
|
||||
def __init__(self):
|
||||
super(GrantAssignmentV3, self).__init__()
|
||||
self.get_member_from_driver = self.role_api.get_role
|
||||
self.get_member_from_driver = PROVIDERS.role_api.get_role
|
||||
|
||||
def _require_domain_xor_project(self, domain_id, project_id):
|
||||
if domain_id and project_id:
|
||||
|
@ -424,20 +429,20 @@ class GrantAssignmentV3(controller.V3Controller):
|
|||
"""
|
||||
ref = {}
|
||||
if role_id:
|
||||
ref['role'] = self.role_api.get_role(role_id)
|
||||
ref['role'] = PROVIDERS.role_api.get_role(role_id)
|
||||
if user_id:
|
||||
try:
|
||||
ref['user'] = self.identity_api.get_user(user_id)
|
||||
ref['user'] = PROVIDERS.identity_api.get_user(user_id)
|
||||
except exception.UserNotFound:
|
||||
if not allow_no_user:
|
||||
raise
|
||||
else:
|
||||
ref['group'] = self.identity_api.get_group(group_id)
|
||||
ref['group'] = PROVIDERS.identity_api.get_group(group_id)
|
||||
|
||||
if domain_id:
|
||||
ref['domain'] = self.resource_api.get_domain(domain_id)
|
||||
ref['domain'] = PROVIDERS.resource_api.get_domain(domain_id)
|
||||
else:
|
||||
ref['project'] = self.resource_api.get_project(project_id)
|
||||
ref['project'] = PROVIDERS.resource_api.get_project(project_id)
|
||||
|
||||
self.check_protection(request, protection, ref)
|
||||
|
||||
|
@ -449,7 +454,7 @@ class GrantAssignmentV3(controller.V3Controller):
|
|||
self._require_user_xor_group(user_id, group_id)
|
||||
|
||||
inherited_to_projects = self._check_if_inherited(request.context_dict)
|
||||
self.assignment_api.create_grant(
|
||||
PROVIDERS.assignment_api.create_grant(
|
||||
role_id, user_id=user_id, group_id=group_id, domain_id=domain_id,
|
||||
project_id=project_id, inherited_to_projects=inherited_to_projects,
|
||||
context=request.context_dict)
|
||||
|
@ -462,7 +467,7 @@ class GrantAssignmentV3(controller.V3Controller):
|
|||
self._require_user_xor_group(user_id, group_id)
|
||||
|
||||
inherited_to_projects = self._check_if_inherited(request.context_dict)
|
||||
refs = self.assignment_api.list_grants(
|
||||
refs = PROVIDERS.assignment_api.list_grants(
|
||||
user_id=user_id, group_id=group_id, domain_id=domain_id,
|
||||
project_id=project_id, inherited_to_projects=inherited_to_projects
|
||||
)
|
||||
|
@ -476,7 +481,7 @@ class GrantAssignmentV3(controller.V3Controller):
|
|||
self._require_user_xor_group(user_id, group_id)
|
||||
|
||||
inherited_to_projects = self._check_if_inherited(request.context_dict)
|
||||
self.assignment_api.get_grant(
|
||||
PROVIDERS.assignment_api.get_grant(
|
||||
role_id, user_id=user_id, group_id=group_id, domain_id=domain_id,
|
||||
project_id=project_id, inherited_to_projects=inherited_to_projects
|
||||
)
|
||||
|
@ -493,7 +498,7 @@ class GrantAssignmentV3(controller.V3Controller):
|
|||
self._require_user_xor_group(user_id, group_id)
|
||||
|
||||
inherited_to_projects = self._check_if_inherited(request.context_dict)
|
||||
self.assignment_api.delete_grant(
|
||||
PROVIDERS.assignment_api.delete_grant(
|
||||
role_id, user_id=user_id, group_id=group_id, domain_id=domain_id,
|
||||
project_id=project_id, inherited_to_projects=inherited_to_projects,
|
||||
context=request.context_dict)
|
||||
|
@ -747,7 +752,7 @@ class RoleAssignmentV3(controller.V3Controller):
|
|||
domain=params.get(
|
||||
'scope.domain.id'))
|
||||
|
||||
refs = self.assignment_api.list_role_assignments(
|
||||
refs = PROVIDERS.assignment_api.list_role_assignments(
|
||||
role_id=params.get('role.id'),
|
||||
user_id=params.get('user.id'),
|
||||
group_id=params.get('group.id'),
|
||||
|
@ -779,7 +784,7 @@ class RoleAssignmentV3(controller.V3Controller):
|
|||
ref = {}
|
||||
for filter, value in protection_info.get('filter_attr', {}).items():
|
||||
if filter == 'scope.project.id' and value:
|
||||
ref['project'] = self.resource_api.get_project(value)
|
||||
ref['project'] = PROVIDERS.resource_api.get_project(value)
|
||||
|
||||
self.check_protection(request, protection_info, ref)
|
||||
|
||||
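Review bot: The three `__init__` methods in this file (ProjectAssignmentV3, RoleV3, GrantAssignmentV3) resolve `PROVIDERS.<api>` once at construction time and cache the bound method in `self.get_member_from_driver`, whereas every other call site changed here looks the manager up at call time. With injection gone, nothing visible in these hunks guarantees the registry is populated before a controller is instantiated, so this assignment now depends on load order that the page does not show. `get_member_from_driver` is presumably what the base controller uses to fetch the target for policy checks, so a failed or stale lookup there would affect enforcement rather than just a listing call. Consider a late-bound form such as `self.get_member_from_driver = lambda *a, **kw: PROVIDERS.role_api.get_role(*a, **kw)`, or at least a comment like `# managers must be registered before controllers are constructed`.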
|
|
|
@ -84,10 +84,10 @@ class Manager(manager.Manager):
|
|||
# TODO(morganfainberg): Implement a way to get only group_ids
|
||||
# instead of the more expensive to_dict() call for each record.
|
||||
return [x['id'] for
|
||||
x in self.identity_api.list_groups_for_user(user_id)]
|
||||
x in PROVIDERS.identity_api.list_groups_for_user(user_id)]
|
||||
|
||||
def list_user_ids_for_project(self, tenant_id):
|
||||
self.resource_api.get_project(tenant_id)
|
||||
PROVIDERS.resource_api.get_project(tenant_id)
|
||||
assignment_list = self.list_role_assignments(
|
||||
project_id=tenant_id, effective=True)
|
||||
# Use set() to process the list to remove any duplicates
|
||||
|
@ -106,7 +106,7 @@ class Manager(manager.Manager):
|
|||
exist.
|
||||
|
||||
"""
|
||||
self.resource_api.get_project(tenant_id)
|
||||
PROVIDERS.resource_api.get_project(tenant_id)
|
||||
assignment_list = self.list_role_assignments(
|
||||
user_id=user_id, project_id=tenant_id, effective=True)
|
||||
# Use set() to process the list to remove any duplicates
|
||||
|
@ -120,7 +120,7 @@ class Manager(manager.Manager):
|
|||
:raises keystone.exception.DomainNotFound: If the domain doesn't exist.
|
||||
|
||||
"""
|
||||
self.resource_api.get_domain(domain_id)
|
||||
PROVIDERS.resource_api.get_domain(domain_id)
|
||||
assignment_list = self.list_role_assignments(
|
||||
user_id=user_id, domain_id=domain_id, effective=True)
|
||||
# Use set() to process the list to remove any duplicates
|
||||
|
@ -134,7 +134,7 @@ class Manager(manager.Manager):
|
|||
if not group_ids:
|
||||
return []
|
||||
if project_id is not None:
|
||||
self.resource_api.get_project(project_id)
|
||||
PROVIDERS.resource_api.get_project(project_id)
|
||||
assignment_list = self.list_role_assignments(
|
||||
source_from_group_ids=group_ids, project_id=project_id,
|
||||
effective=True)
|
||||
|
@ -146,11 +146,11 @@ class Manager(manager.Manager):
|
|||
raise AttributeError(_("Must specify either domain or project"))
|
||||
|
||||
role_ids = list(set([x['role_id'] for x in assignment_list]))
|
||||
return self.role_api.list_roles_from_ids(role_ids)
|
||||
return PROVIDERS.role_api.list_roles_from_ids(role_ids)
|
||||
|
||||
def ensure_default_role(self):
|
||||
try:
|
||||
self.role_api.get_role(CONF.member_role_id)
|
||||
PROVIDERS.role_api.get_role(CONF.member_role_id)
|
||||
except exception.RoleNotFound:
|
||||
LOG.info("Creating the default role %s "
|
||||
"because it does not exist.",
|
||||
|
@ -158,7 +158,7 @@ class Manager(manager.Manager):
|
|||
role = {'id': CONF.member_role_id,
|
||||
'name': CONF.member_role_name}
|
||||
try:
|
||||
self.role_api.create_role(CONF.member_role_id, role)
|
||||
PROVIDERS.role_api.create_role(CONF.member_role_id, role)
|
||||
except exception.Conflict:
|
||||
LOG.info("Creating the default role %s failed because it "
|
||||
"was already created",
|
||||
|
@ -175,8 +175,8 @@ class Manager(manager.Manager):
|
|||
# create_grant so that the notifications.role_assignment decorator
|
||||
# will work.
|
||||
|
||||
self.resource_api.get_project(project_id)
|
||||
self.role_api.get_role(role_id)
|
||||
PROVIDERS.resource_api.get_project(project_id)
|
||||
PROVIDERS.role_api.get_role(role_id)
|
||||
self.driver.add_role_to_user_and_project(user_id, project_id, role_id)
|
||||
|
||||
def add_role_to_user_and_project(self, user_id, tenant_id, role_id):
|
||||
|
@ -200,7 +200,7 @@ class Manager(manager.Manager):
|
|||
# Use set() to process the list to remove any duplicates
|
||||
project_ids = list(set([x['project_id'] for x in assignment_list
|
||||
if x.get('project_id')]))
|
||||
return self.resource_api.list_projects_from_ids(project_ids)
|
||||
return PROVIDERS.resource_api.list_projects_from_ids(project_ids)
|
||||
|
||||
# TODO(henry-nash): We might want to consider list limiting this at some
|
||||
# point in the future.
|
||||
|
@ -211,21 +211,21 @@ class Manager(manager.Manager):
|
|||
# Use set() to process the list to remove any duplicates
|
||||
domain_ids = list(set([x['domain_id'] for x in assignment_list
|
||||
if x.get('domain_id')]))
|
||||
return self.resource_api.list_domains_from_ids(domain_ids)
|
||||
return PROVIDERS.resource_api.list_domains_from_ids(domain_ids)
|
||||
|
||||
def list_domains_for_groups(self, group_ids):
|
||||
assignment_list = self.list_role_assignments(
|
||||
source_from_group_ids=group_ids, effective=True)
|
||||
domain_ids = list(set([x['domain_id'] for x in assignment_list
|
||||
if x.get('domain_id')]))
|
||||
return self.resource_api.list_domains_from_ids(domain_ids)
|
||||
return PROVIDERS.resource_api.list_domains_from_ids(domain_ids)
|
||||
|
||||
def list_projects_for_groups(self, group_ids):
|
||||
assignment_list = self.list_role_assignments(
|
||||
source_from_group_ids=group_ids, effective=True)
|
||||
project_ids = list(set([x['project_id'] for x in assignment_list
|
||||
if x.get('project_id')]))
|
||||
return self.resource_api.list_projects_from_ids(project_ids)
|
||||
return PROVIDERS.resource_api.list_projects_from_ids(project_ids)
|
||||
|
||||
@notifications.role_assignment('deleted')
|
||||
def _remove_role_from_user_and_project_adapter(self, role_id, user_id=None,
|
||||
|
@ -244,7 +244,8 @@ class Manager(manager.Manager):
|
|||
if project_id:
|
||||
self._emit_invalidate_grant_token_persistence(user_id, project_id)
|
||||
else:
|
||||
self.identity_api.emit_invalidate_user_token_persistence(user_id)
|
||||
PROVIDERS.identity_api.emit_invalidate_user_token_persistence(
|
||||
user_id)
|
||||
|
||||
def remove_role_from_user_and_project(self, user_id, tenant_id, role_id):
|
||||
self._remove_role_from_user_and_project_adapter(
|
||||
|
@ -252,7 +253,7 @@ class Manager(manager.Manager):
|
|||
COMPUTED_ASSIGNMENTS_REGION.invalidate()
|
||||
|
||||
def _emit_invalidate_user_token_persistence(self, user_id):
|
||||
self.identity_api.emit_invalidate_user_token_persistence(user_id)
|
||||
PROVIDERS.identity_api.emit_invalidate_user_token_persistence(user_id)
|
||||
|
||||
# NOTE(lbragstad): The previous notification decorator behavior didn't
|
||||
# send the notification unless the operation was successful. We
|
||||
|
@ -263,7 +264,7 @@ class Manager(manager.Manager):
|
|||
)
|
||||
|
||||
def _emit_invalidate_grant_token_persistence(self, user_id, project_id):
|
||||
self.identity_api.emit_invalidate_grant_token_persistence(
|
||||
PROVIDERS.identity_api.emit_invalidate_grant_token_persistence(
|
||||
{'user_id': user_id, 'project_id': project_id}
|
||||
)
|
||||
|
||||
|
@ -271,11 +272,11 @@ class Manager(manager.Manager):
|
|||
def create_grant(self, role_id, user_id=None, group_id=None,
|
||||
domain_id=None, project_id=None,
|
||||
inherited_to_projects=False, context=None):
|
||||
role = self.role_api.get_role(role_id)
|
||||
role = PROVIDERS.role_api.get_role(role_id)
|
||||
if domain_id:
|
||||
self.resource_api.get_domain(domain_id)
|
||||
PROVIDERS.resource_api.get_domain(domain_id)
|
||||
if project_id:
|
||||
project = self.resource_api.get_project(project_id)
|
||||
project = PROVIDERS.resource_api.get_project(project_id)
|
||||
|
||||
# For domain specific roles, the domain of the project
|
||||
# and role must match
|
||||
|
@ -293,11 +294,11 @@ class Manager(manager.Manager):
|
|||
def get_grant(self, role_id, user_id=None, group_id=None,
|
||||
domain_id=None, project_id=None,
|
||||
inherited_to_projects=False):
|
||||
role_ref = self.role_api.get_role(role_id)
|
||||
role_ref = PROVIDERS.role_api.get_role(role_id)
|
||||
if domain_id:
|
||||
self.resource_api.get_domain(domain_id)
|
||||
PROVIDERS.resource_api.get_domain(domain_id)
|
||||
if project_id:
|
||||
self.resource_api.get_project(project_id)
|
||||
PROVIDERS.resource_api.get_project(project_id)
|
||||
self.check_grant_role_id(
|
||||
role_id, user_id=user_id, group_id=group_id, domain_id=domain_id,
|
||||
project_id=project_id, inherited_to_projects=inherited_to_projects
|
||||
|
@ -308,14 +309,14 @@ class Manager(manager.Manager):
|
|||
domain_id=None, project_id=None,
|
||||
inherited_to_projects=False):
|
||||
if domain_id:
|
||||
self.resource_api.get_domain(domain_id)
|
||||
PROVIDERS.resource_api.get_domain(domain_id)
|
||||
if project_id:
|
||||
self.resource_api.get_project(project_id)
|
||||
PROVIDERS.resource_api.get_project(project_id)
|
||||
grant_ids = self.list_grant_role_ids(
|
||||
user_id=user_id, group_id=group_id, domain_id=domain_id,
|
||||
project_id=project_id, inherited_to_projects=inherited_to_projects
|
||||
)
|
||||
return self.role_api.list_roles_from_ids(grant_ids)
|
||||
return PROVIDERS.role_api.list_roles_from_ids(grant_ids)
|
||||
|
||||
def _emit_revoke_user_grant(self, role_id, user_id, domain_id, project_id,
|
||||
inherited_to_projects, context):
|
||||
|
@ -327,7 +328,7 @@ class Manager(manager.Manager):
|
|||
inherited_to_projects=False, context=None):
|
||||
|
||||
# check if role exist before any processing
|
||||
self.role_api.get_role(role_id)
|
||||
PROVIDERS.role_api.get_role(role_id)
|
||||
|
||||
if group_id is None:
|
||||
# check if role exists on the user before revoke
|
||||
|
@ -350,7 +351,7 @@ class Manager(manager.Manager):
|
|||
if CONF.token.revoke_by_id:
|
||||
# NOTE(morganfainberg): The user ids are the important part
|
||||
# for invalidating tokens below, so extract them here.
|
||||
for user in self.identity_api.list_users_in_group(
|
||||
for user in PROVIDERS.identity_api.list_users_in_group(
|
||||
group_id):
|
||||
self._emit_revoke_user_grant(
|
||||
role_id, user['id'], domain_id, project_id,
|
||||
|
@ -360,9 +361,9 @@ class Manager(manager.Manager):
|
|||
group_id)
|
||||
|
||||
if domain_id:
|
||||
self.resource_api.get_domain(domain_id)
|
||||
PROVIDERS.resource_api.get_domain(domain_id)
|
||||
if project_id:
|
||||
self.resource_api.get_project(project_id)
|
||||
PROVIDERS.resource_api.get_project(project_id)
|
||||
self.driver.delete_grant(
|
||||
role_id, user_id=user_id, group_id=group_id, domain_id=domain_id,
|
||||
project_id=project_id, inherited_to_projects=inherited_to_projects
|
||||
|
@ -452,7 +453,8 @@ class Manager(manager.Manager):
|
|||
# if a group wasn't found in the backend, users are set
|
||||
# as empty list.
|
||||
try:
|
||||
users = self.identity_api.list_users_in_group(ref['group_id'])
|
||||
users = PROVIDERS.identity_api.list_users_in_group(
|
||||
ref['group_id'])
|
||||
except exception.GroupNotFound:
|
||||
LOG.warning('Group %(group)s was not found but still has role '
|
||||
'assignments.', {'group': ref['group_id']})
|
||||
|
@ -547,24 +549,25 @@ class Manager(manager.Manager):
|
|||
# again all the project_ids will get the assignment. If,
|
||||
# however, the assignment point is within the subtree,
|
||||
# then only a partial tree will get the assignment.
|
||||
resource_api = PROVIDERS.resource_api
|
||||
if ref.get('project_id'):
|
||||
if ref['project_id'] in project_ids:
|
||||
project_ids = (
|
||||
[x['id'] for x in
|
||||
self.resource_api.list_projects_in_subtree(
|
||||
ref['project_id'])])
|
||||
resource_api.list_projects_in_subtree(
|
||||
ref['project_id'])])
|
||||
elif ref.get('domain_id'):
|
||||
# A domain inherited assignment, so apply it to all projects
|
||||
# in this domain
|
||||
project_ids = (
|
||||
[x['id'] for x in
|
||||
self.resource_api.list_projects_in_domain(
|
||||
PROVIDERS.resource_api.list_projects_in_domain(
|
||||
ref['domain_id'])])
|
||||
else:
|
||||
# It must be a project assignment, so apply it to its subtree
|
||||
project_ids = (
|
||||
[x['id'] for x in
|
||||
self.resource_api.list_projects_in_subtree(
|
||||
PROVIDERS.resource_api.list_projects_in_subtree(
|
||||
ref['project_id'])])
|
||||
|
||||
new_refs = []
|
||||
|
@ -630,7 +633,7 @@ class Manager(manager.Manager):
|
|||
implied_roles = implied_roles_cache[next_role_id]
|
||||
else:
|
||||
implied_roles = (
|
||||
self.role_api.list_implied_roles(next_role_id))
|
||||
PROVIDERS.role_api.list_implied_roles(next_role_id))
|
||||
implied_roles_cache[next_role_id] = implied_roles
|
||||
for implied_role in implied_roles:
|
||||
implied_ref = (
|
||||
|
@ -665,7 +668,7 @@ class Manager(manager.Manager):
|
|||
|
||||
"""
|
||||
def _role_is_global(role_id):
|
||||
ref = self.role_api.get_role(role_id)
|
||||
ref = PROVIDERS.role_api.get_role(role_id)
|
||||
return (ref['domain_id'] is None)
|
||||
|
||||
filter_results = []
|
||||
|
@ -760,7 +763,7 @@ class Manager(manager.Manager):
|
|||
# their parents projects.
|
||||
|
||||
# List inherited assignments from the project's domain
|
||||
proj_domain_id = self.resource_api.get_project(
|
||||
proj_domain_id = PROVIDERS.resource_api.get_project(
|
||||
project_id)['domain_id']
|
||||
inherited_refs += self.driver.list_role_assignments(
|
||||
role_id=role_id, domain_id=proj_domain_id,
|
||||
|
@ -772,7 +775,7 @@ class Manager(manager.Manager):
|
|||
# come from are from parents of the main project or
|
||||
# inherited assignments on the project or subtree itself.
|
||||
source_ids = [project['id'] for project in
|
||||
self.resource_api.list_project_parents(
|
||||
PROVIDERS.resource_api.list_project_parents(
|
||||
project_id)]
|
||||
if subtree_ids:
|
||||
source_ids += project_ids_of_interest
|
||||
|
@ -911,7 +914,8 @@ class Manager(manager.Manager):
|
|||
if project_id and include_subtree:
|
||||
subtree_ids = (
|
||||
[x['id'] for x in
|
||||
self.resource_api.list_projects_in_subtree(project_id)])
|
||||
PROVIDERS.resource_api.list_projects_in_subtree(
|
||||
project_id)])
|
||||
|
||||
if effective:
|
||||
role_assignments = self._list_effective_role_assignments(
|
||||
|
@ -934,14 +938,14 @@ class Manager(manager.Manager):
|
|||
new_assign = copy.deepcopy(role_asgmt)
|
||||
for key, value in role_asgmt.items():
|
||||
if key == 'domain_id':
|
||||
_domain = self.resource_api.get_domain(value)
|
||||
_domain = PROVIDERS.resource_api.get_domain(value)
|
||||
new_assign['domain_name'] = _domain['name']
|
||||
elif key == 'user_id':
|
||||
try:
|
||||
# Note(knikolla): Try to get the user, otherwise
|
||||
# if the user wasn't found in the backend
|
||||
# use empty values.
|
||||
_user = self.identity_api.get_user(value)
|
||||
_user = PROVIDERS.identity_api.get_user(value)
|
||||
except exception.UserNotFound:
|
||||
msg = ('User %(user)s not found in the'
|
||||
' backend but still has role assignments.')
|
||||
|
@ -953,14 +957,14 @@ class Manager(manager.Manager):
|
|||
new_assign['user_name'] = _user['name']
|
||||
new_assign['user_domain_id'] = _user['domain_id']
|
||||
new_assign['user_domain_name'] = (
|
||||
self.resource_api.get_domain(_user['domain_id'])
|
||||
['name'])
|
||||
PROVIDERS.resource_api.get_domain(
|
||||
_user['domain_id'])['name'])
|
||||
elif key == 'group_id':
|
||||
try:
|
||||
# Note(knikolla): Try to get the group, otherwise
|
||||
# if the group wasn't found in the backend
|
||||
# use empty values.
|
||||
_group = self.identity_api.get_group(value)
|
||||
_group = PROVIDERS.identity_api.get_group(value)
|
||||
except exception.GroupNotFound:
|
||||
msg = ('Group %(group)s not found in the'
|
||||
' backend but still has role assignments.')
|
||||
|
@ -972,23 +976,23 @@ class Manager(manager.Manager):
|
|||
new_assign['group_name'] = _group['name']
|
||||
new_assign['group_domain_id'] = _group['domain_id']
|
||||
new_assign['group_domain_name'] = (
|
||||
self.resource_api.get_domain(_group['domain_id'])
|
||||
['name'])
|
||||
PROVIDERS.resource_api.get_domain(
|
||||
_group['domain_id'])['name'])
|
||||
elif key == 'project_id':
|
||||
_project = self.resource_api.get_project(value)
|
||||
_project = PROVIDERS.resource_api.get_project(value)
|
||||
new_assign['project_name'] = _project['name']
|
||||
new_assign['project_domain_id'] = _project['domain_id']
|
||||
new_assign['project_domain_name'] = (
|
||||
self.resource_api.get_domain(_project['domain_id'])
|
||||
['name'])
|
||||
PROVIDERS.resource_api.get_domain(
|
||||
_project['domain_id'])['name'])
|
||||
elif key == 'role_id':
|
||||
_role = self.role_api.get_role(value)
|
||||
_role = PROVIDERS.role_api.get_role(value)
|
||||
new_assign['role_name'] = _role['name']
|
||||
if _role['domain_id'] is not None:
|
||||
new_assign['role_domain_id'] = _role['domain_id']
|
||||
new_assign['role_domain_name'] = (
|
||||
self.resource_api.get_domain(_role['domain_id'])
|
||||
['name'])
|
||||
PROVIDERS.resource_api.get_domain(
|
||||
_role['domain_id'])['name'])
|
||||
role_assign_list.append(new_assign)
|
||||
return role_assign_list
|
||||
|
||||
|
@ -1017,7 +1021,7 @@ class Manager(manager.Manager):
|
|||
# Add in any users for this group, being tolerant of any
|
||||
# cross-driver database integrity errors.
|
||||
try:
|
||||
users = self.identity_api.list_users_in_group(
|
||||
users = PROVIDERS.identity_api.list_users_in_group(
|
||||
assignment['group_id'])
|
||||
except exception.GroupNotFound:
|
||||
# Ignore it, but log a debug message
|
||||
|
@ -1095,7 +1099,7 @@ class Manager(manager.Manager):
|
|||
:param role_id: the ID of the role to grant on the system
|
||||
|
||||
"""
|
||||
role = self.role_api.get_role(role_id)
|
||||
role = PROVIDERS.role_api.get_role(role_id)
|
||||
if role.get('domain_id'):
|
||||
raise exception.ValidationError(
|
||||
'Role %(role_id)s is a domain-specific role. Unable to use '
|
||||
|
@ -1162,7 +1166,7 @@ class Manager(manager.Manager):
|
|||
:param role_id: the ID of the role to grant on the system
|
||||
|
||||
"""
|
||||
role = self.role_api.get_role(role_id)
|
||||
role = PROVIDERS.role_api.get_role(role_id)
|
||||
if role.get('domain_id'):
|
||||
raise exception.ValidationError(
|
||||
'Role %(role_id)s is a domain-specific role. Unable to use '
|
||||
|
@ -1286,8 +1290,8 @@ class RoleManager(manager.Manager):
|
|||
return ret
|
||||
|
||||
def delete_role(self, role_id, initiator=None):
|
||||
self.assignment_api.delete_tokens_for_role_assignments(role_id)
|
||||
self.assignment_api.delete_role_assignments(role_id)
|
||||
PROVIDERS.assignment_api.delete_tokens_for_role_assignments(role_id)
|
||||
PROVIDERS.assignment_api.delete_role_assignments(role_id)
|
||||
self.driver.delete_role(role_id)
|
||||
notifications.Audit.deleted(self._ROLE, role_id, initiator)
|
||||
self.get_role.invalidate(self, role_id)
|
||||
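Review bot: In the `@ -547,24 +549,25 @@` hunk a local `resource_api = PROVIDERS.resource_api` is introduced but only the first `list_projects_in_subtree` call uses it; the `list_projects_in_domain` call and the second `list_projects_in_subtree` call just below spell out `PROVIDERS.resource_api` again. Pick one form for the three branches: either use `resource_api.` throughout or drop the alias and wrap the first call like the others. If the alias stays as a line-length workaround, a comment such as `# local alias keeps the nested comprehension within the line limit` would make that explicit. The enclosing method starts and ends outside the hunk. Separately, no visible hunk for this file binds `PROVIDERS`, so it is presumably already defined at module level above line 84, which is worth confirming.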
|
|